Help with Hunt bar, coolwebsearch [CLOSED]


  • This topic is locked

#1
cji

    New Member

  • Member
  • 5 posts
I have run Spybot and Adaware and manually fixed some problems. I cannot get on the Internet long enough to run anything like TrendMicro before I get an error and IExplorer is shutting down. Currently I am getting an error that says that C:\WindowsSystem32\crzr.exe cannot be found. I have disabled all my startup items but nteh32.exe keeps showing up after restart. This is what I have . .


Logfile of HijackThis v1.99.1
Scan saved at 10:52:13 AM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\netav.exe
C:\WINDOWS\nteh32.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {77DA2E10-5D05-0B88-24FA-6EFE91EAF6D6} - C:\WINDOWS\system32\sysue32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [nteh32.exe] C:\WINDOWS\nteh32.exe
O4 - HKLM\..\RunOnce: [netav.exe] C:\WINDOWS\netav.exe
O8 - Extra context menu item: &AOL Toolbar search - res://c:\Program Files\HPSelect\printshop\The Print Shop\Toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\system32\crsb.exe (file missing)


Can anyone give me any advice on this?
Thanks!


#2
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello cji


Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few-step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You have a nasty CoolWebSearch infection. First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download SpSeHjfix Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember, like the Desktop.

Unzip SpSeHjfix to its own folder (i.e. c:\SpSeHjfix)

Run the CleanUp! installer. You don't need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files. Reboot your computer into normal Windows.

Please post a new Hijack log as well as the About buster log.

Thank you and good luck

#3
cji

    New Member

  • Topic Starter
  • Member
  • 5 posts
Thanks for your help . . . here are the two logs you asked about.

_______________________________________

Logfile of HijackThis v1.99.1
Scan saved at 4:02:35 PM, on 5/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\addoi32.exe
C:\WINDOWS\system32\sysnr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {77DA2E10-5D05-0B88-24FA-6EFE91EAF6D6} - C:\WINDOWS\system32\sysue32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [sysnr.exe] C:\WINDOWS\system32\sysnr.exe
O4 - HKLM\..\RunOnce: [addoi32.exe] C:\WINDOWS\addoi32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://c:\Program Files\HPSelect\printshop\The Print Shop\Toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - - (no file)

____________________________________

Scanned at: 11:30:21 AM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 11:36:30 AM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 3:34:44 PM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\fsmaunin.log:axduk
C:\WINDOWS\MKDEMSG.LOG:tlqpr
C:\WINDOWS\setupact.log:nixcw


Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\fsmaunin.log:axduk
C:\WINDOWS\MKDEMSG.LOG:tlqpr
C:\WINDOWS\setupact.log:nixcw


Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!






Scanned at: 3:42:39 PM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 3:51:21 PM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


_____________________________________________

Thanks so much for your help!

#4
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello Cji

OK, we hurt it; now let's see if we can finish it off.
Please follow the instructions provided; you may want to print out these instructions and use them as a reference.

(Just download what you don't have)

First:
Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

Workstation NetLogon Service ( 11F#`I)

*NOTE* Make sure the name says Workstation NetLogon Service ( 11F#`I) because there are legitimate services with similar names.

When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Run Aboutbuster again
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Clean up the leftovers

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {77DA2E10-5D05-0B88-24FA-6EFE91EAF6D6} - C:\WINDOWS\system32\sysue32.dll
O4 - HKLM\..\Run: [sysnr.exe] C:\WINDOWS\system32\sysnr.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149



Using Windows Explorer (right-click Start, left-click Explore):
Search for and delete these files and folders (if found):
C:\WINDOWS\system32\sysnr.exe
C:\WINDOWS\system32\sysue32.dll

Open Ewido
Click on scanner
Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
Click on Start Scan
Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido .txt log file you saved and the 2nd About buster log by using Add Reply
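Added example, not part of either poster's reply: a Python sketch that checks a HijackThis fix list like the one above against a later log, so that entries re-registered under a new file name are reported instead of being counted as fixed. The sample data are short excerpts of the logs posted in this thread; the function names and the "slot" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Entry lines look like "O4 - HKLM\..\Run: [name] path" or "R1 - key,value = data".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Return (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def slot(section, body):
    """Heuristic (assumption): the place an entry occupies, ignoring its value."""
    if section in ("R0", "R1"):
        return (section, body.split(" = ", 1)[0].lower())   # registry key,value
    if section == "O4":
        return (section, body.split(":", 1)[0].lower())      # e.g. HKLM\..\Run
    if section == "O2":
        return (section, body.split(" - {", 1)[0].lower())   # BHO display name
    return (section, body.lower())                           # no replaceable value


def check_fix_list(before, fix_list, after):
    """Classify each fix-list entry as present, replaced or gone in `after`.

    "replaced" means the exact line is gone, but the same slot now holds an
    entry that did not exist in the `before` log.
    """
    old = set(parse_entries(before))
    new = parse_entries(after)
    new_set = set(new)
    fresh_by_slot = defaultdict(list)
    for sec, body in new:
        if (sec, body) not in old:
            fresh_by_slot[slot(sec, body)].append(f"{sec} - {body}")
    report = {"present": [], "replaced": [], "gone": []}
    for sec, body in parse_entries(fix_list):
        line = f"{sec} - {body}"
        if (sec, body) in new_set:
            report["present"].append(line)
        elif fresh_by_slot.get(slot(sec, body)):
            report["replaced"].append((line, fresh_by_slot[slot(sec, body)]))
        else:
            report["gone"].append(line)
    return report


# Excerpt of the 5/30/2005 log in this thread.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {77DA2E10-5D05-0B88-24FA-6EFE91EAF6D6} - C:\WINDOWS\system32\sysue32.dll
O4 - HKLM\..\Run: [sysnr.exe] C:\WINDOWS\system32\sysnr.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

# Excerpt of the fix list given in the reply above.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\yicxs.dll/sp.html#37049
O2 - BHO: Class - {77DA2E10-5D05-0B88-24FA-6EFE91EAF6D6} - C:\WINDOWS\system32\sysue32.dll
O4 - HKLM\..\Run: [sysnr.exe] C:\WINDOWS\system32\sysnr.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

# Excerpt of the 5/31/2005 log in this thread.
AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mckux.dll/sp.html#37049
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {513F52ED-5623-F228-1042-41F0E0AEBDA9} - C:\WINDOWS\sysmu32.dll
O4 - HKLM\..\Run: [msju32.exe] C:\WINDOWS\system32\msju32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
"""

if __name__ == "__main__":
    result = check_fix_list(BEFORE, FIX_LIST, AFTER)
    for status in ("present", "replaced", "gone"):
        print(status.upper())
        for item in result[status]:
            print("   ", item)
```

An entry reported as "replaced" should be treated as still active: the exact line from the fix list no longer matches, but the same registry value, BHO name or Run key has been repopulated.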

#5
cji

    New Member

  • Topic Starter
  • Member
  • 5 posts
Here are the logs . . .

____________________________


Logfile of HijackThis v1.99.1
Scan saved at 8:43:29 AM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\appom32.exe
C:\WINDOWS\system32\msju32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mckux.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mckux.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\mckux.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\mckux.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\mckux.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\mckux.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {513F52ED-5623-F228-1042-41F0E0AEBDA9} - C:\WINDOWS\sysmu32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [msju32.exe] C:\WINDOWS\system32\msju32.exe
O4 - HKLM\..\RunOnce: [appom32.exe] C:\WINDOWS\appom32.exe
O8 - Extra context menu item: &AOL Toolbar search - res://c:\Program Files\HPSelect\printshop\The Print Shop\Toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

_________________________________________



(5/30/05 11:39:30 AM) SPSeHjFix started v1.1.2
(5/30/05 11:39:30 AM) OS: WinXP Service Pack 1 (5.1.2600)
(5/30/05 11:39:30 AM) Language: english
(5/30/05 11:39:30 AM) Win-Path: C:\WINDOWS
(5/30/05 11:39:30 AM) System-Path: C:\WINDOWS\System32
(5/30/05 11:39:30 AM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(5/30/05 11:39:32 AM) Disinfection started
(5/30/05 11:39:32 AM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 11:39:32 AM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 11:39:32 AM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 11:39:32 AM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, SearchAssistant:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\system32\yicxs.dll/sp.html#37049
(5/30/05 11:39:32 AM) Stealth-String not found
(5/30/05 11:39:32 AM) No locked Files to delete. End without Reboot
(5/30/05 11:39:44 AM) Disinfection started
(5/30/05 11:39:44 AM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 11:39:44 AM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 11:39:44 AM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 11:39:44 AM) Bad IE-pages: (none)
(5/30/05 11:39:44 AM) Stealth-String not found
(5/30/05 11:39:44 AM) No locked Files to delete. End without Reboot
(5/30/05 11:40:03 AM) Disinfection started
(5/30/05 11:40:03 AM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 11:40:03 AM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 11:40:03 AM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 11:40:03 AM) Bad IE-pages: (none)
(5/30/05 11:40:03 AM) Stealth-String not found
(5/30/05 11:40:03 AM) No locked Files to delete. End without Reboot


(5/30/05 11:40:06 AM) SPSeHjFix started v1.1.2
(5/30/05 11:40:06 AM) OS: WinXP Service Pack 1 (5.1.2600)
(5/30/05 11:40:06 AM) Language: english
(5/30/05 11:40:06 AM) Win-Path: C:\WINDOWS
(5/30/05 11:40:06 AM) System-Path: C:\WINDOWS\System32
(5/30/05 11:40:06 AM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(5/30/05 11:40:08 AM) Disinfection started
(5/30/05 11:40:08 AM) Bad-Dll(IEP): (not found)
(5/30/05 11:40:08 AM) Bad-Dll(IEP) in BHO: (not found)
(5/30/05 11:40:08 AM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 11:40:08 AM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 11:40:08 AM) Bad IE-pages: (none)
(5/30/05 11:40:08 AM) Stealth-String not found
(5/30/05 11:40:09 AM) Not infected->END


(5/30/05 3:26:18 PM) SPSeHjFix started v1.1.2
(5/30/05 3:26:18 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/30/05 3:26:18 PM) Language: english
(5/30/05 3:26:18 PM) Win-Path: C:\WINDOWS
(5/30/05 3:26:18 PM) System-Path: C:\WINDOWS\System32
(5/30/05 3:26:18 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(5/30/05 3:26:20 PM) Disinfection started
(5/30/05 3:26:20 PM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 3:26:20 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:26:20 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:26:20 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\system32\yicxs.dll/sp.html#37049
(5/30/05 3:26:20 PM) Stealth-String not found
(5/30/05 3:26:20 PM) No locked Files to delete. End without Reboot
(5/30/05 3:26:22 PM) Disinfection started
(5/30/05 3:26:22 PM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 3:26:22 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:26:22 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:26:22 PM) Bad IE-pages: (none)
(5/30/05 3:26:22 PM) Stealth-String not found
(5/30/05 3:26:22 PM) No locked Files to delete. End without Reboot
(5/30/05 3:26:31 PM) Disinfection started
(5/30/05 3:26:31 PM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 3:26:31 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:26:31 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:26:31 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Page_URL: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Default_Search_URL: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\system32\yicxs.dll/sp.html#37049
(5/30/05 3:26:31 PM) Stealth-String not found
(5/30/05 3:26:31 PM) No locked Files to delete. End without Reboot
(5/30/05 3:26:41 PM) Disinfection started
(5/30/05 3:26:41 PM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 3:26:41 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:26:41 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:26:41 PM) Bad IE-pages: (none)
(5/30/05 3:26:41 PM) Stealth-String not found
(5/30/05 3:26:41 PM) No locked Files to delete. End without Reboot


(5/30/05 3:35:31 PM) SPSeHjFix started v1.1.2
(5/30/05 3:35:31 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/30/05 3:35:31 PM) Language: english
(5/30/05 3:35:31 PM) Win-Path: C:\WINDOWS
(5/30/05 3:35:31 PM) System-Path: C:\WINDOWS\System32
(5/30/05 3:35:31 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\


(5/30/05 3:54:27 PM) SPSeHjFix started v1.1.2
(5/30/05 3:54:27 PM) OS: WinXP Service Pack 1 (5.1.2600)
(5/30/05 3:54:27 PM) Language: english
(5/30/05 3:54:27 PM) Win-Path: C:\WINDOWS
(5/30/05 3:54:27 PM) System-Path: C:\WINDOWS\System32
(5/30/05 3:54:27 PM) Temp-Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\
(5/30/05 3:54:29 PM) Disinfection started
(5/30/05 3:54:29 PM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 3:54:29 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:54:29 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:54:29 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\windows\system32\yicxs.dll/sp.html#37049
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: res://c:\windows\system32\yicxs.dll/sp.html#37049
(5/30/05 3:54:29 PM) Stealth-String not found
(5/30/05 3:54:29 PM) No locked Files to delete. End without Reboot
(5/30/05 3:54:32 PM) Disinfection started
(5/30/05 3:54:32 PM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 3:54:32 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:54:32 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:54:32 PM) Bad IE-pages: (none)
(5/30/05 3:54:32 PM) Stealth-String not found
(5/30/05 3:54:32 PM) No locked Files to delete. End without Reboot
(5/30/05 3:54:41 PM) Disinfection started
(5/30/05 3:54:41 PM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 3:54:41 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:54:41 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:54:41 PM) Bad IE-pages: (none)
(5/30/05 3:54:41 PM) Stealth-String not found
(5/30/05 3:54:41 PM) No locked Files to delete. End without Reboot
(5/30/05 3:55:16 PM) Disinfection started
(5/30/05 3:55:16 PM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 3:55:16 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:55:16 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:55:16 PM) Bad IE-pages: (none)
(5/30/05 3:55:16 PM) Stealth-String not found
(5/30/05 3:55:16 PM) No locked Files to delete. End without Reboot
(5/30/05 3:55:18 PM) Disinfection started
(5/30/05 3:55:18 PM) Bad-Dll(IEP): c:\windows\system32\yicxs.dll
(5/30/05 3:55:18 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:55:18 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/30/05 3:55:18 PM) Bad IE-pages: (none)
(5/30/05 3:55:18 PM) Stealth-String not found
(5/30/05 3:55:18 PM) No locked Files to delete. End without Reboot


_________________________________________________

Scanned at: 11:30:21 AM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 11:36:30 AM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 3:34:44 PM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\fsmaunin.log:axduk
C:\WINDOWS\MKDEMSG.LOG:tlqpr
C:\WINDOWS\setupact.log:nixcw


Removed 2 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26


Removed Data Streams:
C:\WINDOWS\fsmaunin.log:axduk
C:\WINDOWS\MKDEMSG.LOG:tlqpr
C:\WINDOWS\setupact.log:nixcw


Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!






Scanned at: 3:42:39 PM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 3:51:21 PM on: 5/30/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Removed 3 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






___________________________________________


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:33:23 AM, 5/31/2005
+ Report-Checksum: 26780AB6

+ Date of database: 5/31/2005
+ Version of scan engine: v3.0

+ Duration: 49 min
+ Scanned Files: 105890
+ Speed: 35.99 Files/Second
+ Infected files: 28
+ Removed files: 28
+ Files put in quarantine: 28
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Owner\Application Data\SysDown\sys02468.exe -> TrojanDownloader.Domcom.a -> Cleaned with backup
C:\Documents and Settings\Owner\My Documents\Carrie\download\Macromedia key generator (all products).exe -> Worm.Supova.A -> Cleaned with backup
C:\WINDOWS\apixe32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\atlcd32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\atlri.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar.gp -> Cleaned with backup
C:\WINDOWS\iedn.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\mfclg32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\msjq.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\netbc.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\ntef32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\ntiw32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\nttu32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\addmk32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\appdy32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\appje32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\atlqa32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\atltj.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\crqi32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d3ra32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ieps.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ietq.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\iphh32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\javasr32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\msmy32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ntkr32.dll -> TrojanDownloader.Agent.an -> Cleaned with backup
C:\WINDOWS\SYSTEM32\syshw32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\vtmfs.dll -> Spyware.OneMoreSearch -> Cleaned with backup


::Report End

___________________________________________

Thanks again!
  • 0

#6
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello cji

For some reason this one's hanging on. Please be patient and run this again.
If this doesn't work we will try alternate methods. Leave the SPSeHjFix out of this one.

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:

Workstation NetLogon Service ( 11F#`I)

*NOTE* Make sure the name says Workstation NetLogon Service ( 11F#`I) because there are legitimate services with similar names.

When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Run Aboutbuster again
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
-Configure Ad-Aware for a full system scan
-Run it

Run Ewido

Reboot
Please post the AboutBuster, Ewido, and the Hijacklog
  • 0

#7
loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





